Sensitive: The information in this document is not to be disclosed outside of Target Widgets, Inc. or PenTest, Inc. without prior written consent of both organizations.

Example Pen Test Report ©2008 SANS and Ed Skoudis

Internet Infrastructure Network Penetration Test
Final Report

Prepared for Target Widgets, Inc.
By PenTest, Inc.
September 15, 2009


Table of Contents

1. Executive Summary ... 3
2. Introduction ... 5
3. Test Methodology ... 7
4. Findings ... 12
4.1 High-Risk Findings ... 13
4.1.1 VNC Offers Remote Control of Mail Server Across Internet ... 13
4.1.2 Guessable Password Allows for Remote Compromise of Mail Server ... 13
4.1.3 Unpatched Windows Machine on DMZ Allows Exfiltration of PII ... 14
4.1.4 High-Risk: Unencrypted PII on DMZ Server ... 15
4.2 Medium-Risk Findings ... 16
4.2.1 OpenSSH Flaw Could Allow Unauthorized Access on Linux Server ... 16
4.2.2 Excessive Open Ports Indicates Lax Firewall Rules and Hardening ... 16
5. Conclusions ... 18


1. Executive Summary

This report presents the results of a penetration test of Target Widgets’ Internet Infrastructure performed by PenTest, Inc. from March 8, 2009 to March 22, 2009. The test’s scope focused on Internet-accessible systems on the 192.168.14/24 and 192.168.18/24 subnets, which make up the primary DMZ for Target Widgets. The project was focused on finding and exploiting server-side vulnerabilities in a network penetration test to determine Target Widgets’ business risk profile associated with Internet-based attacks. Client-side testing, web application manipulation, denial of service, and social engineering were not included in the scope of the project.

As described in more detail in the technical findings in the rest of this report, PenTest, Inc. discovered significant security vulnerabilities in the target infrastructure that pose a high risk to Target Widgets’ business. In particular, PenTest’s personnel were able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets’ Internet DMZ was found to be relatively weak.

To address these issues, PenTest, Inc. recommends that Target Widgets employ a series of short-term tactics and long-term strategies to improve security. From a short-term perspective, PenTest, Inc. recommends that Target Widgets conduct the following actions within one week or less to prevent malicious attackers from compromising the PII:

• Block inbound Virtual Network Computing (VNC) access to DMZ systems from the Internet, managing them from the local console or internal network until Target Widgets selects and deploys a suitably secure remote management tool.
• Change the easy-to-guess passwords for all accounts, especially any accounts used for system administration, on machine 192.168.14.21, the mail server on the DMZ. Investigate this machine to determine if malicious attackers compromised the system prior to the PenTest, Inc. project.
• Update patches of all software on the database server at 192.168.14.57 to lower the chance that it can be compromised. Target Widgets personnel should likewise analyze this machine to determine whether it has been compromised by attackers.
• Apply an encryption solution to protect all PII stored on sensitive machines, especially on the database server at 192.168.14.57.

While these recommendations will deal with the immediate issues discovered during the test, PenTest, Inc. recommends that Target Widgets’ management institute significant changes in the overall security practices of the DMZ environment to ensure that these or related issues do not recur. From a longer-term perspective, PenTest, Inc. recommends that Target Widgets apply the following recommendations over the next thirty-to-sixty days:


• Select and deploy a secure solution for remote management of servers across the Internet that relies on strong encryption, such as Secure Shell (SSH), IPsec Virtual Private Networks (VPNs), or Secure Sockets Layer (SSL). The solution should also utilize strong authentication, such as one-time passwords, time-based authentication tokens, or challenge/response tokens.
• Deploy and configure password-complexity enforcement tools on all DMZ systems to prevent users from choosing easy-to-guess passwords. Once such tools are deployed, require users to change their passwords.
• Update the patching policy and process of all servers on the DMZ to ensure that critical patches are tested and deployed within 24 hours of release by the vendor.
• Devise and apply updated hardening documentation for secure configuration of each machine on the DMZ, focusing specifically on disabling unneeded services.
• Review the filtering rules on border firewalls and routers, reconfiguring the devices to close all unneeded ports and services on both an inbound and outbound basis. Allow only those ports with a clear, well-documented business need.
• Determine whether there is a business need to store PII information on the DMZ at all. If such access is not required, redesign the associated applications and network so that PII information can be stored on an internal protected network.
• Verify the use of encryption for sensitive data throughout the enterprise, ensuring specifically that PII is properly encrypted both in transit across the network and at rest in databases and file systems.

Any questions regarding this report or the penetration test it describes should be directed to John Smith, the technical lead of the project from PenTest, Inc., at [email protected] or 555-555-5555.


2. Introduction

At the request of Target Widgets’ security team, PenTest, Inc. performed a network penetration test of the company’s Internet infrastructure from March 8 to March 22, 2009. The goal of the test was to determine whether an attacker on the Internet could gain access to Personally Identifiable Information associated with Target Widgets customers. The scope of the project focused on network penetration testing of accessible services across the Internet. Client-side testing, web application manipulation, denial of service, and social engineering were not included in the scope of the project.

As described in more detail in the technical findings in the rest of this report, PenTest, Inc. discovered significant security vulnerabilities in the target infrastructure that pose a high risk to Target Widgets’ business. In particular, PenTest’s personnel were able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets’ Internet DMZ was found to be relatively weak.

The testing was performed under the supervision of Target Widgets employee Jane Doe, with all tests originating from PenTest Inc.’s security labs located in Big City. Table 1 lists the personnel that participated in the test and analysis activities.

Table 1: Personnel Involved in the Project

Name | Company | Role in Project | Contact Information
John Smith | PenTest, Inc. | Tester and test technical lead | [email protected] or 555-555-5555
Sally Johnson | PenTest, Inc. | Tester | [email protected] or 555-555-5556
Jane Doe | Target Widgets, Inc. | Project coordinator | [email protected] or 555-555-1111
Sam Brown | Target Widgets, Inc. | DMZ system administrator | [email protected] or 555-555-2222

The test focused on the Target Widgets Internet Infrastructure and its related systems, including servers, firewalls, routers, and other equipment located on the 192.168.14/24 and 192.168.18/24 subnets. At the outset of this “crystal box” test, Target Widgets personnel provided this network address information, along with a network diagram indicating the overall topology of the network and the operating system type of each target machine. PenTest personnel found that the network diagram accurately reflected the composition of the target network. No deviations were found between the diagram and the tested target infrastructure. According to Target Widgets personnel, all systems in the target range were owned and operated by Target Widgets; the scope of the test included no systems belonging to other organizations.

Manual testing occurred during normal business hours, from 9:00 AM until 6:00 PM Eastern Time throughout the duration of the project. Lengthy scans and automated password guessing tests were conducted around the clock, as allowed for in the project’s Rules of Engagement. Each day through the project, Target Widgets employees and PenTest consultants conducted a debriefing conference call, during which the team discussed the progress and findings for that day.


3. Test Methodology

PenTest, Inc. applied our comprehensive network penetration testing methodology to conduct this project. This methodology is broken into three phases, associated with mapping the network, scanning for vulnerabilities, and exploiting vulnerabilities to determine the business risk they pose to the enterprise. Each of these phases, as well as PenTest’s discoveries and analysis during each phase, are described in this section.

Phase 1: Map and Identify Active Devices.

The goal of this phase of the project is to discover systems in the target environment, essentially mapping the attack surface for the remaining phases. Even in a crystal box test (in which target system personnel provide the testers with a diagram and inventory of target machines), PenTest, Inc. still applies this phase to verify the information provided at the outset of the test. To discover potential target machines, PenTest, Inc. applies numerous methods, including:

• Whois Lookups: PenTest personnel look up the domain names provided in the project scope to identify the DNS server as well as contact information for target system personnel. We verified these whois registration records with Target Widgets personnel, who confirmed that the information in them was accurate and up to date.
• DNS Zone Transfer: PenTest personnel connect to the primary, secondary, and tertiary name servers of the target organization and attempt a zone transfer for all domains included in the scope of work. For this test, we were not successful in performing a zone transfer, because Target Widgets has likely blocked such access from arbitrary hosts on the Internet.
• DNS Reverse Record Lookup: PenTest personnel use automated tools to send a series of DNS queries looking for reverse records (PTR record type) that map IP addresses to domain names for all Internet-accessible addresses included in the scope of work.
• Search Engine Queries: PenTest personnel send a series of requests to the Google, Yahoo, and Microsoft LiveSearch search engines, looking for evidence of target machines that fall within the scope of the project.
• ICMP sweeps: PenTest personnel send a series of Internet Control Message Protocol (ICMP) packets to each address in the target network range to determine which addresses respond. Our tools send ICMP Echo (ICMP type 8), Address Mask (ICMP Type 17), and Timestamp (ICMP Type 13) request messages, looking for a response.
• TCP sweeps: PenTest sends a series of TCP packets to widely used ports to determine if a response comes back from target addresses. In particular, we send SYN packets as well as ACK packets to TCP ports 21, 22, 23, 25, 80, 135, 139, 443, and 445, looking for either SYN-ACK or RESET responses coming back that may indicate a target machine using the given address.


• UDP sweeps: PenTest also sends UDP packets into the target network on UDP port 53, looking for either UDP or ICMP Port Unreachable responses back, each indicative of a potential target machine.
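The sweeps listed above leave a recognisable footprint in border firewall logs: one source touching many distinct DMZ addresses with the same probe type. The Python detector below is an added example, not part of this report or of PenTest, Inc.’s tooling; the log line format, the sample lines and the five-host threshold are constructed assumptions.

```python
"""Detect the Phase 1 host-discovery sweeps (ICMP Echo/Timestamp/Address Mask,
TCP SYN or ACK probes to common ports, UDP/53 probes) in firewall logs by
counting distinct DMZ hosts probed per source and probe type.
Added example: the log format, sample lines and threshold are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# DMZ ranges named in the report's scope.
DMZ_NETS = [ip_network("192.168.14.0/24"), ip_network("192.168.18.0/24")]
# ICMP request types the report's sweeps use (Echo, Timestamp, Address Mask).
ICMP_SWEEP_TYPES = {8: "echo", 13: "timestamp", 17: "address-mask"}
# TCP and UDP ports the report's sweeps target.
TCP_SWEEP_PORTS = {21, 22, 23, 25, 80, 135, 139, 443, 445}
UDP_SWEEP_PORTS = {53}

# Assumed (constructed) log format:
# "<ts> <action> proto=<p> src=<ip> dst=<ip> [type=<n>] [dport=<n>] [flags=<f>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\w+))?$"
)

# Constructed sample: a timestamp sweep and a SYN/445 sweep from one source,
# ordinary web traffic from another, plus lines the detector must ignore.
SAMPLE_LOG = """\
2009-03-09T02:14:01 DENY proto=icmp src=203.0.113.5 dst=192.168.14.1 type=13
2009-03-09T02:14:01 DENY proto=icmp src=203.0.113.5 dst=192.168.14.2 type=13
2009-03-09T02:14:02 DENY proto=icmp src=203.0.113.5 dst=192.168.14.3 type=13
2009-03-09T02:14:02 DENY proto=icmp src=203.0.113.5 dst=192.168.14.4 type=13
2009-03-09T02:14:03 DENY proto=icmp src=203.0.113.5 dst=192.168.14.5 type=13
2009-03-09T02:14:03 DENY proto=icmp src=203.0.113.5 dst=192.168.14.6 type=13
2009-03-09T02:15:01 DENY proto=tcp src=203.0.113.5 dst=192.168.18.1 dport=445 flags=S
2009-03-09T02:15:01 DENY proto=tcp src=203.0.113.5 dst=192.168.18.2 dport=445 flags=S
2009-03-09T02:15:02 ALLOW proto=tcp src=203.0.113.5 dst=192.168.18.3 dport=445 flags=S
2009-03-09T02:15:02 DENY proto=tcp src=203.0.113.5 dst=192.168.18.4 dport=445 flags=S
2009-03-09T02:15:03 DENY proto=tcp src=203.0.113.5 dst=192.168.18.5 dport=445 flags=S
2009-03-09T02:15:09 ALLOW proto=tcp src=198.51.100.7 dst=192.168.18.3 dport=80 flags=S
2009-03-09T02:15:10 ALLOW proto=tcp src=198.51.100.7 dst=192.168.18.3 dport=443 flags=S
2009-03-09T02:15:11 DENY proto=icmp src=203.0.113.5 dst=192.168.14.7 type=3
2009-03-09T02:15:12 DENY proto=udp src=203.0.113.9 dst=192.168.18.18 dport=53
2009-03-09T02:15:13 DENY proto=tcp src=203.0.113.5 dst=10.0.0.5 dport=445 flags=S
"""


def classify_probe(m):
    """Map one parsed log line to a sweep probe label, or None when it is not
    one of the probe types the report's Phase 1 methodology describes."""
    proto = m["proto"]
    if proto == "icmp" and m["type"] is not None:
        name = ICMP_SWEEP_TYPES.get(int(m["type"]))
        return f"icmp-{name}" if name else None
    if proto == "tcp" and m["dport"] is not None and int(m["dport"]) in TCP_SWEEP_PORTS:
        # Both SYN-only and ACK-only probes appear in the report's TCP sweeps.
        return {"S": "tcp-syn", "A": "tcp-ack"}.get(m["flags"])
    if proto == "udp" and m["dport"] is not None and int(m["dport"]) in UDP_SWEEP_PORTS:
        return f"udp-{m['dport']}"
    return None


def detect_sweeps(log_text, min_hosts=5):
    """Return {(src, probe): distinct DMZ hosts} for each source whose probes of
    one type reached at least min_hosts distinct DMZ addresses.
    min_hosts=5 is a constructed tuning value sized for the small sample."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the detector
        dst = ip_address(m["dst"])
        if not any(dst in net for net in DMZ_NETS):
            continue  # only traffic aimed at the in-scope DMZ subnets counts
        probe = classify_probe(m)
        if probe is None:
            continue
        hosts[(m["src"], probe)].add(dst)
    return {key: len(dsts) for key, dsts in hosts.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for (src, probe), n in sorted(detect_sweeps(SAMPLE_LOG).items()):
        print(f"possible {probe} sweep from {src}: {n} DMZ hosts probed")
```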

After discovering each target, PenTest personnel then applied operating system fingerprinting, using all of the applicable tests in the second generation fingerprinting techniques of Nmap as well as Xprobe2 to identify the operating system type. It is important to note that host discovery is an iterative process applied throughout the project. When PenTest personnel compromise a target system in Phase 3 (described below), we verify with target system personnel that the newly compromised machine can be used to apply sweeping activities to find additional targets within the scope of the project. Of particular interest, PenTest personnel identified the db8 system, which held sensitive PII, by launching a ping sweep using ICMP Echo messages from the compromised mail server (mail.targetwidgets.tgt) on the DMZ.

Applying each of these methods, PenTest personnel developed the list of target machines shown in Table 2.

Table 2: Target Systems Identified During Network Mapping Activities

IP Address | Machine Name | Operating System Type | How Discovered
192.168.14.21 | mail.targetwidgets.tgt | Windows 2003 Server | ICMP Echo Request
192.168.14.22 | staging.targetwidgets.tgt | Windows 2003 Server | Reverse DNS lookup (PTR record)
192.168.14.57 | db8 (Because there was no record in DNS for this machine, this name information was gathered from nbtstat running on the mail server and from compromise of the host itself with the hostname command.) | Windows 2000 Server | Discovered via ping sweep (ICMP Echo request) from compromised mail server 192.168.14.21
192.168.18.89 | appsrv.targetwidgets.tgt | Linux kernel 2.6 | Google searches for site:targetwidgets.tgt
192.168.18.3 | www.targetwidgets.tgt | Linux kernel 2.6 | Google searches for site:targetwidgets.tgt
192.168.18.9 | www2.targetwidgets.tgt | Linux kernel 2.6 | TCP SYN sweep for port 80
192.168.18.14 | No name | Windows 2003 Server | TCP SYN sweep for port 445
192.168.18.18 | No name | Linux kernel 2.6 | UDP sweeps for port 53
192.168.18.53 | dns.targetwidgets.tgt | Windows 2003 Server | Whois lookup

Phase 2: Scan Active Devices for Vulnerabilities.

In this phase of the test, PenTest personnel began with a port scan of all discovered target machines, scanning TCP ports 0 through 65,535 and UDP ports 1-1024. As agreed to by Target Widgets personnel, our TCP scans focused on half-open SYN scans using Nmap’s “normal” timing options. For the most part, we found that Target Widgets firewalls blocked the vast majority of inbound traffic, allowing in only traffic associated with the business purpose of a given host. There were four systems that were an exception to this generally good filtering, as noted in Finding 4.2.2.

After determining the open ports on the target systems, PenTest personnel proceeded to perform version scanning of the machines using Nmap’s version scanning functionality as well as The Hacker’s Choice (THC) Amap. These tools gather information about the version of the protocol spoken by each listening port and/or the version of software listening on each port. We found no unusual versions or protocols on the target machines. PenTest personnel did find that one of the target machines allowed inbound Virtual Network Computing (VNC) access from the Internet on TCP port 5900, requiring password-based authentication using the latest VNC protocol version spoken by VNC 4.X for remote GUI control of this mail server at 192.168.14.21. This issue is discussed in more detail in Finding 4.1.1.

We next proceeded to conduct a vulnerability scan using Tenable’s Nessus scanner with a commercial feed of plug-in updates from March 5, 2009. PenTest personnel tested all of the latest plug-ins in our labs before running them against Target Widgets systems to ensure the plug-ins performed as expected. The initial Nessus scan against the target machines also found the VNC service listening on the mail server. Nessus also found an older version of OpenSSH that is subject to authentication bypass on the Linux application server at 192.168.18.89, although we were unable to successfully exploit this issue, as described in detail in Finding 4.2.1. And, finally, Nessus found an unusually large number of listening ports on four servers on the 192.168.18 subnet, indicative of lax firewall rules and a lack of system hardening to disable or filter unneeded services. In short, Nessus verified many of our Nmap and Amap findings.

Phase 3: Exploit Vulnerabilities.

In this phase of the test, PenTest personnel attempted to exploit the issues identified in Phase 2 to gain access to target machines and determine the business risks associated with any discovered vulnerabilities. We began by building a custom dictionary for password guessing by crawling Target Widgets’ own website at www.targetwidgets.tgt to create a unique list of words. To accomplish the password guessing attack within the two-week time span of the project, we trimmed down the list of words to just over 1,000 entries. We then configured the THC Hydra tool to conduct the password guesses against the VNC service running on the mail server at 192.168.14.21.

While the password guessing attack ran, PenTest personnel attempted to exploit the OpenSSH authentication bypass vulnerability manually using publicly available exploit code against the target system. All of our attempts at OpenSSH exploitation failed, because the exploit requires the attacker to first gain access to the public key of a user on the machine to bypass authentication. Even though successful exploitation was impossible, Target Widgets personnel should still upgrade this potentially vulnerable version of OpenSSH to a more recent version that does not have this flaw.

The VNC password-guessing attack had run for 40 consecutive hours (just under two days) when it successfully guessed a password on the mail server machine using a blank account name. The password was a simple variation of words gathered from the Target Widgets web page, with some nominal substitutions of numbers in place of some letters. Using this password, PenTest personnel gained control of the GUI for this Windows machine. The GUI console of the system was left logged on, giving us complete control of the desktop of the machine and full access to all information stored on the system. Because this system sends and receives all e-mail to and from Target Widgets personnel, we could have intercepted or changed any clear-text Target Widgets e-mail entering or leaving the company. While certainly a cause for concern, this interception of e-mail traffic via VNC control of the mail server was not the most significant risk posed by the security weaknesses we identified.

From our vantage point controlling the GUI of the mail server, PenTest personnel invoked a command prompt on this Windows 2003 box. After checking with target system personnel, we loaded the fgdump password-dumping tool onto this machine so that we could extract its password hashes for cracking using the traditional John the Ripper password cracker and the Rainbow-Tables-based Ophcrack tool. While we cracked the administrator password for this machine, we found that this password could not be used to access any other systems within the scope of the project.

However, we used the command shell running on the mail server system accessed via VNC to conduct a ping sweep of the DMZ using only built-in Windows tools (a FOR loop in a simple script on Windows pinged all of the available addresses on the DMZ). This sweep revealed another system not discovered by our automated scans earlier in the test. We discovered a target server at 192.168.14.57. Using the nbtstat command on Windows, we determined that this server was named db8, a database server on the DMZ.

With permission from target system personnel who carefully monitored the target machines while our test occurred, we loaded Netcat on the target Windows mail server at 192.168.14.21. We used Netcat to create a relay that would forward any inbound traffic from the mail server on TCP port 445 to the newly discovered db8 server on the DMZ. We then proceeded to attempt a series of exploits against the db8 server through the relay running on the mail server using exploits from the Metasploit framework. PenTest personnel found that the exploit associated with MS06-040, a vulnerability in the Windows Server service, could successfully exploit the target machine to gain shell access of the database server with local SYSTEM privileges. We used the exploit to make a reverse shell connection from this database server back to our machines at PenTest labs.

With this SYSTEM-level shell on the database machine, PenTest personnel began analyzing the file system to determine whether any sensitive information was located on the machine. This database system included a clear-text file called transaction_log.db that contained the account name, credit card number, expiration date, mailing address, and other sensitive information for over 4 million Target Widgets customers. Based on the rules of engagement and our standard procedures for conducting penetration tests, PenTest personnel neither looked at nor downloaded all of the contents of this file. Instead, we merely sampled the first few lines of the file to verify the information that it contained (specifically, that it included one account entry per line). We then counted the number of lines in the file using the command:

C:\> type transaction_log.db | find /c /v ""

The output of this command indicated that 4,039,123 individual accounts were in the file, each containing sensitive PII for Target Widgets customers, as shown in Figure 1.

Figure 1: Output of Commands on Database Server with PII

At the end of the project, we removed the software we installed on the target machine (Netcat). This was the only change made to target machines, and it was rolled back, putting the machines in their original state. No other changes were made to target systems during the course of the project.
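The report confirms the exposure by sampling a few lines of transaction_log.db and counting the rest. A defender auditing DMZ servers for the same condition can do the equivalent without reading the data: count lines, count the lines that hold a Luhn-valid card number, and keep only masked values as evidence. The following Python scanner is an added example, not part of this report or of PenTest, Inc.’s tooling; the record layout and the sample records are constructed test data.

```python
"""Audit a clear-text export for card-number PII without copying the records:
count lines, count lines holding a Luhn-valid card number, report masked values.
Added example; the record layout and data below are constructed."""
import re

# Constructed sample of the one-record-per-line layout the report describes
# (account name, card number, expiration date, mailing address). Card numbers
# are public test values; the last line carries a 16-digit order id that fails
# the Luhn check and must not be reported as a card.
SAMPLE_RECORDS = """\
jdoe,4111111111111111,09/11,123 Main St Big City
asmith,5500-0000-0000-0004,12/10,9 Elm Ave Big City
bwong,4111111111111112,01/12,77 Oak Rd Big City
order-9876543210123456,,,
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check-digit validation as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(line):
    """Return the Luhn-valid card numbers found in one line, digits only."""
    found = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(digits):
    """Keep only the last four digits, as evidence that can be put in a report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def audit_export(text):
    """Count non-empty lines (the report's `find /c /v ""` count) and the lines
    holding at least one Luhn-valid card number; return masked values only."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    masked = []
    hits = 0
    for ln in lines:
        cards = find_card_numbers(ln)
        if cards:
            hits += 1
            masked.extend(mask(c) for c in cards)
    return {"lines": len(lines), "records_with_pan": hits, "masked_sample": masked[:10]}


if __name__ == "__main__":
    print(audit_export(SAMPLE_RECORDS))
```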


4. Findings

Throughout the remainder of this document, each vulnerability or risk identified has been labeled as a Finding and categorized as High-Risk, Medium-Risk, or Low-Risk, which are defined as:

• High-Risk findings are critical. These vulnerabilities should be addressed promptly because they may pose an immediate danger to the security of the networks, systems, or data.
• Medium-Risk findings should be addressed in a timely manner.
• Low-Risk findings should be noted and addressed at a later date, but may not pose a real threat to the network and connected systems at this time.

Each category of finding (High, Medium, and Low) is included as its own subsection. No low-risk findings were identified during this project.


4.1 High-Risk Findings

4.1.1 High-Risk: VNC Offers Remote Control of Mail Server Across Internet

Vulnerable Target: Mail Server at 192.168.14.21
Level of Risk: High
Likelihood of Exploitation: Medium

Description:
PenTest, Inc. discovered that VNC, the remote GUI control tool, was running on Target Widgets’ mail server, accessible across the Internet via TCP port 5900. VNC provides remote control capabilities and is a convenient method by which an employee can remotely access a system’s GUI across the network. However, its convenience also assists malicious individuals in their quest to gain remote access to a system. If VNC is configured with an easily guessed password, an attacker can gain complete control of the system. Furthermore, historically, various VNC implementations, even when configured with a difficult-to-guess password, have had significant security issues, such as buffer overflow flaws and authentication bypass vulnerabilities. Although the VNC service listening on this mail server system appeared to be fully patched, there remains the possibility of newly discovered flaws in VNC allowing attackers to compromise systems.

Recommendations:
If VNC is not needed for administration, it should be disabled and removed from the system immediately. Furthermore, Target Widgets personnel should configure the network firewall to block inbound VNC access on TCP 5900 and any alternative ports the given VNC server may be configured to use.

If there is a business need for managing the system via its GUI across the Internet, PenTest personnel recommend that Target Widgets deploy a strongly authenticated, encrypted form of GUI access. For example, either VNC or Windows Terminal Services access can be configured to be carried across a secure, encrypted tunnel implemented via Secure Shell (SSH) port forwarding or IPsec Virtual Private Networks (VPNs) between the management system and the destination server. Alternatively, Target Widgets personnel could consider secure management tools that rely on HTTP over SSL (HTTPS) to encrypt such interactions.

4.1.2 High-Risk: Guessable Password Allows for Remote Compromise of Mail Server

Vulnerable Target: Mail Server at 192.168.14.21
Level of Risk: High


Likelihood of Exploitation: High

Description:
PenTest, Inc. used an automated password-guessing tool to determine a password for VNC access to the mail server. The password for this access was a trivial variation of words retrieved from the Target Widgets website, guessed by our tool within 40 hours of run time. To authenticate to the system via VNC, no user account name was required. Using this password, PenTest personnel were able to gain complete administrative control of the machine.

Recommendation:
If VNC access is required, PenTest personnel strongly recommend that Target Widgets personnel configure it to require both a username and password for authentication, not just a password. Then, at a bare minimum, select difficult-to-guess passwords that are neither dictionary terms nor associated in any way with the Target Widgets company. If resources are available, we further recommend that Target Widgets personnel deploy an authentication scheme for such encrypted system administration traffic that does not rely exclusively on static passwords, and instead utilizes one-time passwords, time-based authentication tokens (such as RSA’s SecurID tokens), or challenge-response tokens.
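The guessed password was a company word with digits swapped in for letters, which a plain dictionary check misses. The policy check below undoes those substitutions before comparing against company-derived words, and also enforces the username requirement from the recommendation. It is an added example, not part of this report or of PenTest, Inc.’s tooling; the company word list, the 12-character minimum and the substitution table are assumptions.

```python
"""Credential policy check for a remotely reachable management service such as
the VNC instance in Finding 4.1.2: require a username, enforce a minimum length,
and reject passwords that are company-associated words once common letter-to-
digit substitutions are undone. Added example; the word list, the 12-character
minimum and the substitution table are assumptions."""
from itertools import product

# Constructed stand-in for a word list derived from the company's own website.
COMPANY_WORDS = {"target", "widgets", "widget", "catalog", "gizmo"}
MIN_LENGTH = 12  # assumed policy value

# Each character may stand for itself or for the letters it commonly replaces.
SUBSTITUTIONS = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
}


def normalized_forms(password):
    """All readings of the password with digit/symbol substitutions undone.
    '1' expands to both 'i' and 'l', so the result is a set of candidates
    (2^n forms for n occurrences of '1', small for realistic passwords)."""
    options = [SUBSTITUTIONS.get(ch, ch) for ch in password.lower()]
    return {"".join(chars) for chars in product(*options)}


def is_company_variant(password, words=COMPANY_WORDS, min_word_len=4):
    """True if any reading of the password contains a company word."""
    words = {w.lower() for w in words if len(w) >= min_word_len}
    return any(w in form for form in normalized_forms(password) for w in words)


def check_credentials(username, password, words=COMPANY_WORDS):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not username.strip():
        problems.append("username required")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if is_company_variant(password, words):
        problems.append("password is a variant of a company-associated word")
    return problems


if __name__ == "__main__":
    for user, pw in [("", "W1dg3ts2009"), ("admin", "correct horse battery staple")]:
        print(repr(user), repr(pw), "->", check_credentials(user, pw) or ["ok"])
```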

4.1.3 High-Risk: Unpatched Windows Machine on DMZ Allows Exfiltration of Sensitive PII

Vulnerable Target: Database Server at 192.168.14.57
Level of Risk: High
Likelihood of Exploitation: High

Description:
This machine, running the Windows 2000 Server operating system, lacks a critical patch from Microsoft known as MS06-040. This vulnerability in the Windows Server service allows attackers to use free, widely available exploit code to compromise the system and gain complete administrative control of the machine, running commands with local SYSTEM privileges. Although the db8 server on the DMZ cannot be directly accessed from the Internet, it can be reached by compromising other hosts on the DMZ. PenTest personnel targeted this vulnerability via a flaw in the mail server machine to gain command-shell access on this db8 system. With this command-shell access, we were able to search through the file system and find clear-text records containing PII of Target Widgets customers.

Recommendation:

Microsoft has released a set of patches for Windows 2000, XP, and 2003 machines that address this flaw, described at http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx. PenTest recommends that Target Widgets deploy this patch immediately to the DMZ system. In our experience, this patch has caused very few problems on production environments, although Target Widgets personnel should quickly evaluate it in a test environment before rolling it into production.

Furthermore, we strongly recommend that Target Widgets personnel review the patching and audit processes for all systems on the DMZ to determine why this patch was repeatedly missed in updates and audits. The patch and audit processes should be carefully scrutinized and improved to avoid such issues in the future.
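A patch that is missed once is a scheduling problem; one that is missed in audit after audit is a process problem, which is the point of the review recommended above. The following is an added example, not code from the PenTest, Inc. report or from Target Widgets: it reconciles successive audit snapshots against the bulletins each OS family requires and reports the host/bulletin pairs that keep recurring. Only MS06-040 and the db8 server come from the finding; the second host (dmz-app-01), the audit dates and the other bulletin names are constructed placeholders.

```python
"""Added example (not from the PenTest, Inc. report): reconcile successive patch
audits against the bulletins each OS requires, so a patch that keeps getting
missed (as MS06-040 did on the db8 server) stands out. The second host, the
audit dates and every bulletin name other than MS06-040 are constructed."""
from collections import defaultdict

# Constructed: bulletins required per OS family. Only MS06-040 comes from the
# finding; BULLETIN-A and BULLETIN-B are placeholders.
REQUIRED = {
    "Windows 2000 Server": {"MS06-040", "BULLETIN-A"},
    "Windows Server 2003": {"MS06-040", "BULLETIN-B"},
}

# Constructed audit snapshots: (date, {host: (os, installed bulletins)}).
AUDITS = [
    ("2009-01-15", {
        "192.168.14.57": ("Windows 2000 Server", {"BULLETIN-A"}),
        "dmz-app-01": ("Windows Server 2003", {"MS06-040", "BULLETIN-B"}),
    }),
    ("2009-02-15", {
        "192.168.14.57": ("Windows 2000 Server", {"BULLETIN-A"}),
        "dmz-app-01": ("Windows Server 2003", {"MS06-040"}),
    }),
    ("2009-03-15", {
        "192.168.14.57": ("Windows 2000 Server", {"BULLETIN-A"}),
        "dmz-app-01": ("Windows Server 2003", {"MS06-040", "BULLETIN-B"}),
    }),
]


def missing_in_audit(snapshot, required=REQUIRED):
    """{host: set of required bulletins not installed} for one audit snapshot."""
    missing = {}
    for host, (os_name, installed) in snapshot.items():
        gap = required.get(os_name, set()) - installed
        if gap:
            missing[host] = gap
    return missing


def repeat_misses(audits, required=REQUIRED):
    """{(host, bulletin): number of audits in which that bulletin was missing}."""
    counts = defaultdict(int)
    for _date, snapshot in audits:
        for host, gap in missing_in_audit(snapshot, required).items():
            for bulletin in gap:
                counts[(host, bulletin)] += 1
    return dict(counts)


def chronic_gaps(audits, threshold=2, required=REQUIRED):
    """Host/bulletin pairs missed in at least `threshold` audits. These point at a
    process failure (exclusion list, broken agent, unowned host) rather than a
    one-off, and are what the patch-process review should start from."""
    return sorted(pair for pair, n in repeat_misses(audits, required).items()
                  if n >= threshold)


if __name__ == "__main__":
    for host, bulletin in chronic_gaps(AUDITS):
        print(f"{host}: {bulletin} missing in "
              f"{repeat_misses(AUDITS)[(host, bulletin)]} of {len(AUDITS)} audits")
```

In a real environment the snapshots come from the patch-management or vulnerability-scanning tool’s export; the logic above is deliberately independent of any particular product.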

4.1.4 High-Risk: Unencrypted PII on DMZ Server

Vulnerable Target: Database Server at 192.168.14.57

 Level of Risk: High

 Likelihood of Exploitation: Medium

Description:

The db8 server includes a file called transaction_log.db that contains over 4 million records with PII of Target Widgets customers without any encryption at all. Any user accessing the file system with administrator or local SYSTEM privileges can read the file, gaining access to very sensitive information.

Recommendation:

PenTest recommends that, at a minimum, Target Widgets personnel deploy an encryption solution to protect the PII on this server. Numerous encryption products are available on a free or commercial basis, including TrueCrypt, Gnu Privacy Guard, and Pretty Good Privacy. Going further, PenTest personnel recommend that Target Widgets investigate whether there is a business need for storing and accessing PII on the DMZ. In many environments, such information can be stored on internal protected networks, usually a more secure approach than keeping the data on perimeter networks. If there is no defined business need for storing the PII on the DMZ, PenTest recommends that the applications and network be redesigned to allow for internal storage of this sensitive data.
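Before deciding what to encrypt or move off the DMZ, Target Widgets personnel need an inventory of where clear-text PII actually sits, and that inventory must not itself become another copy of the data. The following is an added example, not code from the PenTest, Inc. report: a small scanner that counts SSN-shaped values and Luhn-valid card-shaped values per record line and produces a redacted copy for reporting. The record lines are constructed; the card numbers are the well-known test numbers that satisfy the Luhn check, not real accounts, and the field names are assumptions.

```python
"""Added example (not from the PenTest, Inc. report): a clear-text PII scanner a
defender can run over DMZ file systems before deciding what to encrypt or
relocate. The record lines below are constructed; the card numbers are the
well-known test numbers that satisfy the Luhn check, not real accounts."""
import re

# Constructed sample of what a clear-text transaction log might look like.
# Line 3 carries an order number that is card-shaped but fails the Luhn check.
SAMPLE_RECORDS = """\
id=1001,name=A. Customer,ssn=123-45-6789,card=4111 1111 1111 1111
id=1002,name=B. Customer,ssn=987-65-4321,card=5500000000000004
id=1003,name=C. Customer,order=1234567890123456
"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; separates card numbers from order IDs and other digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped values per record line.
    Returns {"ssn": n, "card": n, "lines": [1-based line numbers with any hit]}."""
    found = {"ssn": 0, "card": 0, "lines": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        ssns = SSN_RE.findall(line)
        cards = [c for c in CARD_RE.findall(line) if luhn_ok(c)]
        if ssns or cards:
            found["lines"].append(lineno)
        found["ssn"] += len(ssns)
        found["card"] += len(cards)
    return found


def redact(text: str) -> str:
    """Mask hits so the inventory can be shared without copying the PII itself."""
    text = SSN_RE.sub("***-**-****", text)
    return CARD_RE.sub(lambda m: "****" if luhn_ok(m.group()) else m.group(), text)


if __name__ == "__main__":
    print(find_pii(SAMPLE_RECORDS))
    print(redact(SAMPLE_RECORDS))
```

The scanner reports counts and line numbers, never the values; the redacted copy is what goes into a finding or a ticket. Pattern matching of this kind gives an inventory, not proof of absence, so a clean result does not remove the need to confirm with the application owners what the file actually holds.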


4.2 Medium-Risk Findings

4.2.1 Medium-Risk: OpenSSH Flaw Could Allow Unauthorized Access without Authentication on Linux App Server

Vulnerable Target: Linux app server on DMZ at 192.168.18.89

Level of Risk: Medium

Likelihood of Exploitation: Low

Description:

The Linux application server is running OpenSSH 2.3.1, an older version of the Secure Shell tool. If an attacker can gain access to the public key of a valid SSH user on the system, he or she could bypass normal authentication mechanisms on the box, which should require the user’s private key to log in to the system. Based on a flaw in older versions of OpenSSH, the private key of a user is not required. Thus, any attacker, system administrator, or user who has access to the SSH public key of a user on this machine can gain access to the system. However, without the public key of a user, PenTest, Inc. was not able to exploit this issue successfully.

Recommendation:

PenTest recommends that Target Widgets personnel upgrade the OpenSSH installation on this machine to a more recent version of the software. Furthermore, we recommend that PenTest personnel check other servers on the DMZ and elsewhere in the enterprise to make sure that they are running the latest versions of OpenSSH software.

4.2.2 Medium-Risk: Excessive Numbers of Open Ports Indicate Lax Firewall Rules and System Hardening

Vulnerable Target:

192.168.18.3: TCP 21,22,23,25,443
192.168.18.9: TCP 80,90,6000 and UDP 53,110,500
192.168.18.14: TCP 135,139,445 and UDP 137,445
192.168.18.18: TCP 32772,32773,32774

Level of Risk: Medium

Likelihood of Exploitation: Low

Description:

On the 192.168.18 subnet, PenTest, Inc. discovered many systems with a large number of ports open. Although we were not able to exploit these systems via these open ports, the relatively high number of ports accessible on the machines is a likely sign of two conditions that should be addressed. First, the target networks appear to have rather lax firewall rules, allowing in numerous different ports for which there is likely not a business need. Secondly, the large number of accessible ports, especially those associated with Windows Server Message Block (TCP 135, 139, and 445), X Windows (TCP 6000), and various RPC services (TCP 32772 and up), is a possible indication that the target machines have not been hardened thoroughly.

Recommendation:

PenTest, Inc. recommends that Target Widgets disable services on these ports without a defined business need. Hardening guides freely available at the Center for Internet Security (www.cisecurity.org) describe how to harden many underlying operating systems and applications. We also recommend a review of the configuration of the firewall(s) protecting these machines. Target Widgets personnel should configure the firewalls to block any services that do not have a specific, documented business need.
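Both medium-risk findings above (4.2.1 and 4.2.2) come down to the same reconciliation: what a scan observes on the DMZ against what Target Widgets has documented as needed and supported. The following is an added example, not code from the PenTest, Inc. report: it parses the port list exactly as written in finding 4.2.2, flags every port outside a per-host allowlist (annotating the SMB, X Windows and RPC ports the finding calls out as hardening indicators), and separately flags hosts whose OpenSSH banner is below a minimum version. The allowlist, the SSH banners and the minimum version are assumptions; the port data is the finding’s own.

```python
"""Added example (not from the PenTest, Inc. report): reconcile observed open
ports against documented business need and flag outdated OpenSSH banners.
The port list is copied from finding 4.2.2; the allowlist, the SSH banners and
the minimum OpenSSH version are constructed for illustration."""
import re
from collections import defaultdict

# Port data as written in finding 4.2.2 (one host per line).
SCAN = """\
192.168.18.3: TCP 21,22,23,25,443
192.168.18.9: TCP 80,90,6000 and UDP 53,110,500
192.168.18.14: TCP 135,139,445 and UDP 137,445
192.168.18.18: TCP 32772,32773,32774
"""

# Constructed: ports with a documented business need per host. Anything else
# observed open should be disabled on the host or blocked at the firewall.
ALLOWLIST = {
    "192.168.18.3": {("tcp", 22), ("tcp", 25), ("tcp", 443)},
    "192.168.18.9": {("tcp", 80), ("udp", 53)},
}

# Constructed SSH banners, as a scanner would record them. The 2.3.1 banner
# matches finding 4.2.1; the 5.1 banner is a placeholder for a current host.
SSH_BANNERS = {
    "192.168.18.89": "SSH-1.99-OpenSSH_2.3.1",
    "192.168.18.3": "SSH-2.0-OpenSSH_5.1",
}


def parse_scan(text):
    """Return {host: {(proto, port), ...}} from the report's port-list format."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s*(.+)$", line.strip())
        if not m:
            continue
        host, rest = m.groups()
        for proto, ports in re.findall(r"(TCP|UDP)\s+([\d,]+)", rest):
            for p in ports.split(","):
                hosts[host].add((proto.lower(), int(p)))
    return dict(hosts)


def hardening_hint(proto, port):
    """Services the finding names as signs of an unhardened host, else None."""
    if proto == "tcp" and port in (135, 139, 445):
        return "Windows SMB/RPC"
    if proto == "tcp" and port == 6000:
        return "X Windows"
    if proto == "tcp" and port >= 32772:
        return "RPC service"
    return None


def unexpected_ports(scan, allowlist):
    """{host: [(proto, port, hint), ...]} for open ports outside the allowlist."""
    result = {}
    for host, ports in scan.items():
        extra = sorted(p for p in ports if p not in allowlist.get(host, set()))
        if extra:
            result[host] = [(proto, port, hardening_hint(proto, port))
                            for proto, port in extra]
    return result


def openssh_version(banner):
    """(major, minor, patch) parsed from an SSH banner, or None if not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def outdated_ssh(banners, minimum):
    """{host: version} for hosts below `minimum`; set `minimum` to the release
    the organisation currently supports (an operator decision, not fixed here)."""
    versions = ((h, openssh_version(b)) for h, b in banners.items())
    return {h: v for h, v in versions if v is not None and v < minimum}


if __name__ == "__main__":
    for host, extras in unexpected_ports(parse_scan(SCAN), ALLOWLIST).items():
        print(host, extras)
    print("outdated OpenSSH:", outdated_ssh(SSH_BANNERS, (4, 0, 0)))
```

The output is a work list, not a verdict: each flagged port goes back to the system owner to either document the need or close it, and that documented allowlist becomes the firewall rule set the recommendation asks for.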


5. Conclusions

The penetration test of Target Widgets’ Internet infrastructure performed by PenTest, Inc., in March 2009 identified several high-risk security issues. The goal of the test was to determine whether an attacker on the Internet could gain access to Personally Identifiable Information associated with Target Widgets customers.

PenTest’s personnel were indeed able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers by exploiting flaws associated with unneeded services, guessable passwords, unpatched systems, and lack of encryption for sensitive data. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets’ Internet DMZ was found to be relatively weak.

Any questions regarding this report or the penetration test it describes should be directed to John Smith, the technical lead of the project from PenTest, Inc., at [email protected] or 555-555-5555.